Federal, state and local governments employ 22 million people—about 14% of the total U.S. workforce. They collect information from residents across a seemingly limitless range of topics. To paraphrase Willie Sutton, government is an obvious target for hackers because that’s where the data is.
Not surprisingly, government agencies have fallen victim to some of the biggest breaches ever. In 2006, for example, thieves stole 26.5 million records from the U.S. Department of Veterans Affairs. In 2015, hackers took 21.5 million records from the Office of Personnel Management.
The unfortunate reality is that government agencies tend to have lax security. In a 2018 benchmarking report by Thales eSecurity, 57% of public sector respondents said their agencies had been breached in the past year. That’s more than any industry in the private sector and far above the 36% average across all sectors. In all, 70% of government agencies have been breached at some point, according to Thales.
An official report to the president called the federal IT infrastructure “out‑of‑date” and “incapable of operating with the agility and security that is required.”
Securing public IT infrastructure is already a daunting task, given the government’s massive footprint and sprawling mandate. Compounding matters, cybersecurity is “kind of an afterthought” for many agencies, says Steve Tcherchian, CISO at cybersecurity vendor Xypro.
A complete teardown and rebuild isn’t in the cards. But there are concrete steps that government agencies can take to reduce their vulnerability. Here’s a brief list.
More planning, less spending
Government agencies may not have the same robust defenses as leading‑edge companies. But security isn’t just about the latest, greatest systems. Careful planning and a thoughtful approach can make the biggest difference.
“Right now, everyone is focused on adding shiny new tools to their arsenal, but they do a horrible job of making sure the tools are used effectively,” says James Goepel, CEO and general counsel of cybersecurity vendor Fathom Cyber.
Unpatched software and other known problems that no one has bothered to fix generally pose a greater threat than one‑of‑a‑kind hacks, says Sean Convery, general manager of ServiceNow’s security and risk business.
It’s like securing your home, Convery adds. “While it’s fun to think about how to stop a drone from coming out of your chimney, you’re much better off fixing a broken window on the ground floor or a door that’s hanging off its hinge.”
That’s why agencies should start by mapping their attack surface, meaning all the potential points of entry for hackers or malware across networks, applications, and devices.
Goepel offers a tip to keep everyone focused: Share information about vulnerabilities in a way everyone can understand. “When I take my car in for repair, I don’t expect the tech to tell me the 25‑amp P‑channel MOSFET on the analog‑to‑digital converter board shorted out,” he says. “I expect her to tell me my CD player is on the fritz and she can replace it for $175.”
Move to the cloud
Large cloud providers tend to have robust security teams. Moving software and infrastructure to the cloud can save agencies money while fully leveraging the technical expertise and security strengths of those specialized vendors, says David Wagner, CEO and president of Zix, an email encryption company.
This isn’t a new idea. In 2009, the Obama administration adopted a cloud‑first model for federal IT and set a target for agencies to move 15% of their IT spending to the cloud by 2016. No federal agency met the target.
In its official report to the president, the American Technology Council blamed poor prioritization and resource allocation for the debacle. The council suggested several steps to facilitate government’s move to the cloud. They included improving the contracting process, focusing on email and collaboration tools, and adopting a shared‑services approach across agencies.
A better process
The public sector also needs to think differently about security. Agencies can integrate security with IT by adopting an emerging cybersecurity practice called DevSecOps. Inspired by the DevOps software development methodology, DevSecOps brings security into the heart of the software development cycle instead of leaving it until the end, says security expert Mikkel Wilson.
DevSecOps “isn’t a specific product or service, but a cultural shift in how software engineering teams operate,” says Wilson, a volunteer member of the Cloud Security Alliance working group on DevSecOps. “Embedding security engineers into software development teams moves this security and compliance check earlier into the development process where it’s easier and less expensive to make changes.”
Less buying, more evaluation
Government agencies are drowning in vendors trying to sell them security products. Instead of buying, they need to spend more time researching the tools that work best for them, says Craig Koroscil, vice president of cyber education and training at Circadence.
“There are a vast number of competing technologies out there, and usually the best marketing or sales pitch gets them in the door,” he says. Switching costs are high, so agencies often wind up sticking with subpar technologies. To avoid this fate, Koroscil recommends that agencies invest in research, integration and comparison of available technologies.
The bottom line? Security is complicated, especially at the government level. These recommendations don’t negate the need for security best practices like data encryption, multi‑factor authentication, regular software updates, and a robust suite of anti‑malware tools.
But when things aren’t working, a new approach can be the best place to start.